RE: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 -working now-

From: Vernet Jerome <>
Date: Thu, 4 Apr 2013 13:56:16 +0200


Here my configuration. What seems to be the link between SQUID and dansguardian is this line
cache_peer parent 8080 7 no-query no-digest no-netdb-exchange

Wich squid 3.3 reject (among other thing)

/home/sysres01>more /etc/squid/squid.conf
http_port 3128
cache_peer parent 8080 7 no-query no-digest no-netdb-exchange
acl NOBELAMBRA url_regex -i "/etc/squid3/nocache.url"
cache deny NOBELAMBRA
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 32 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 256 KB
# 256 KB
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 4096
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
cache_dir ufs /var/spool/squid3 3120 16 256
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log none
emulate_httpd_log off
log_mime_hdrs off
debug_options ALL,1 33,0 29,1
log_fqdn on
#ftp_list_width 128
#ftp_passive on
#ftp_sanitycheck on
dns_retransmit_interval 2 seconds
#JV 18/10/2011 pour corsica
dns_timeout 20 secondes
#AUTHENFICATION: get user/passwd
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 8
auth_param basic realm AD2003.INTRA
auth_param basic credentialsttl 4 hours
auth_param basic casesensitive off
#Appertenance aux groupes AD2003
external_acl_type ad_group %LOGIN /usr/lib/squid3/
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 3600 seconds
request_header_max_size 200 KB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min -1 KB
quick_abort_max 128 KB
quick_abort_pct 95
negative_ttl 1 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 2 minute
range_offset_limit 0 KB
connect_timeout 4 minute
request_timeout 5 minutes
persistent_request_timeout 60 second
shutdown_lifetime 10 seconds
#acl all src all
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 # https
acl SSL_ports port 8000 # https
acl SSL_ports port 8080 # https
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 4280 # http
acl Safe_ports port 8000 8080 # http
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
acl proxy dst
http_access allow proxy
http_access deny to_localhost
acl Authenticated proxy_auth REQUIRED
#acces non filtré pour www-directaccees: ne passe pas par DANSGUARDIAN
acl directaccess external ad_group www-directaccess
#accès filtré passe par DANSGUARDIAN
acl activefilter external ad_group www-activefilter
#Pas d'authentification ni de DANSGUARDIAN pour ces domaines
acl directurls dstdomain "/etc/squid3/directurls"
http_access allow directurls
always_direct allow directurls
http_access allow localhost
acl restrictedfilter01 external ad_group www-restricted01
acl restrictedfilter02 external ad_group www-restricted02
acl goodsites01 url_regex "/etc/squid3/contentlist01"
acl goodsites02 url_regex "/etc/squid3/contentlist02"
http_access deny !Safe_ports activefilter
http_access deny !Safe_ports restrictedfilter01
http_access deny !Safe_ports restrictedfilter02
http_access allow goodsites01 restrictedfilter01
http_access allow goodsites02 restrictedfilter02
http_access allow directaccess
always_direct allow directaccess
http_access allow activefilter
http_access allow directaccess SSL_ports
http_access allow activefilter SSL_ports
http_access deny restrictedfilter01
http_access deny restrictedfilter02
http_access deny !Authenticated !localhost
http_access deny all
http_reply_access allow all
icp_access allow all
#cache_peer_access puck allow activefilter
#cache_peer_access puck deny all
reply_header_max_size 20 KB
cache_effective_user proxy
cache_effective_group proxy
visible_hostname belambra
cachemgr_passwd proxy all
always_direct allow localhost
always_direct allow directurls
never_direct allow activefilter
forwarded_for off
never_direct deny all
error_directory /var/hera/squiderrors
coredump_dir /var/spool/squid3
client_persistent_connections on
server_persistent_connections on
detect_broken_pconn on
pipeline_prefetch on

-----Message d'origine-----
De : Amos Jeffries []
Envoyé : jeudi 4 avril 2013 13:28
À :
Objet : Re: [squid-users] RE: Upgrading SQUID from 3.1.6 to 3.1.23 -working now-

On 4/04/2013 9:56 p.m., Vernet Jerome wrote:
>>> Now, I will try 3.3. Lot of change have to be made in my squid.conf.
> Managed to have a build OK, but with my squid.conf, it do not work at
> all with
>>> dansguardian and ntlm_auth.
>> What do you mean? what is the new problem?
> Well, ntlm_auth (or) and AD2003 group access ACL do not work anymore
> like it was done in my 3.1 config. Removed.
> Then, the way the configuration was done (not by me) to make work
> Dansguardian and SQUID do not work anymore (see my previous squid.conf
> message).

You said you had them together, but I see no details in this thread about how they were connected. Squid and DG are completely separate proxies, so there are a few ways to set them up and several ways to do auth through each of those setups.

Erm. "SQUID" is an electonic curcuit type. ;-)

> For the moment, I cannot figure how I can make it work again with
> SQUID 3.3.

There should be no difference. But if you can share the config details I'm happy to have a look at it for you.

Received on Thu Apr 04 2013 - 11:53:37 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 04 2013 - 12:00:04 MDT